Microsoft.IdentityModel.Tokens Namespace

Windows Identity Foundation

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Defines an AuthorizationPolicy that carries the IDFx Claims. When IDFx is enabled a new set of Security Token Authenticators are added to the system. These Authenticators will generate the new Claims defined in Microsoft.IdentityModel.Claims.

SecurityTokenManager that makes plugging in custom tokens easy. The SecurityTokenManager provides methods to register custom token providers, serializers and authenticators. It can wrap another token manager and delegate token operation calls to it if required.

Custom ServiceAuthorizationManager implementation. This class substitutes the WCF-generated IAuthorizationPolicies with AuthorizationPolicy. These policies do not participate in the EvaluationContext and hence will render an empty WCF AuthorizationContext. Once this AuthorizationManager is substituted into a ServiceHost, only IClaimsPrincipal will be available for authorization decisions.

Provides delayed resolution of security keys by resolving the SecurityKeyIdentifierClause or SecurityKeyIdentifier only when cryptographic functions are needed. This allows a key clause or identifier that is never used by an application to be serialized and deserialized on and off the wire without issue.

When caching an SCT there are two indexes required. One is the ContextId, which is unique across all SCTs, and the other is the KeyGeneration, which is unique within an SCT. When an SCT is issued it has only a ContextId. When the SCT is renewed, the KeyGeneration is added as a second index to the SCT. The renewed SCT is then uniquely identifiable via the ContextId and KeyGeneration together. The class SecurityTokenCacheKey is used as the index to the SCT cache. This index will always have a valid ContextId specified, but the KeyGeneration may be null. There is also an optional EndpointId which gives the endpoint to which the token is scoped.

This class derives from System.ServiceModel.Security.WSSecurityTokenSerializer and wraps a collection of SecurityTokenHandlers. Any call to this serializer is delegated to the matching token handler, and delegated to the base class if no token handler is registered to handle that particular token or KeyIdentifier.